# runbooks inventory

50 commands for multi-account resource discovery, enrichment, and compliance validation.
## AWS Profile Configuration

All `runbooks` commands support these common options for AWS authentication and output handling:

| Option | Scope | When to Use |
|---|---|---|
| `--profile PROFILE` | Single account | Developer/operator targeting one AWS account |
| `--all-profiles` | All accounts (Landing Zone) | Platform team discovering across all configured SSO profiles |
| `--region REGION` | Override region | Non-default region (default: `ap-southeast-2`) |
| `--dry-run` | Safe mode | Analysis only, no mutations (recommended for a first run) |
| `--output-dir DIR` | Output path | Directory for generated reports (default: `output/`) |
| `--format FORMAT` | Output format | `table`, `json`, `csv`, `markdown` (available formats vary by command) |
### Single Account Setup

Copy and configure:

```bash
# =============================================================
# AWS Single Account Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"
export AWS_PROFILE="your-account-profile"

# Authenticate via SSO
aws sso login --profile "$AWS_PROFILE"

# Verify that the session resolves to the expected account ID
aws sts get-caller-identity --profile "$AWS_PROFILE"

# Run any command
runbooks finops dashboard --profile "$AWS_PROFILE"
```
### Multi-Account Landing Zone Setup

Copy and configure `AWS_REGION` plus all four profile variables. Use read-only roles for the billing, management and operations profiles: every inventory command except `clean-outputs` calls read-only AWS APIs, so these credentials never need write access.

```bash
# =============================================================
# AWS Multi-Account Landing Zone Configuration
# =============================================================
export AWS_REGION="ap-southeast-2"

## Single account (default fallback)
export AWS_PROFILE="your-default-profile"

## FinOps/Billing profile (READ-ONLY access to Cost Explorer)
export AWS_BILLING_PROFILE="your-billing-readonly-profile"

## Management account profile (Organizations, Control Tower)
export AWS_MANAGEMENT_PROFILE="your-management-readonly-profile"

## Centralized Operations account profile (for shared resources)
export AWS_OPERATIONS_PROFILE="your-operations-readonly-profile"

# =============================================================
# Authenticate all profiles
# =============================================================
aws sso login --profile "$AWS_PROFILE"
aws sso login --profile "$AWS_BILLING_PROFILE"
aws sso login --profile "$AWS_MANAGEMENT_PROFILE"
aws sso login --profile "$AWS_OPERATIONS_PROFILE"

# =============================================================
# Verify connectivity (each call should return the account ID you expect)
# =============================================================
aws sts get-caller-identity --profile "$AWS_PROFILE"
aws sts get-caller-identity --profile "$AWS_BILLING_PROFILE"
aws sts get-caller-identity --profile "$AWS_MANAGEMENT_PROFILE"
aws sts get-caller-identity --profile "$AWS_OPERATIONS_PROFILE"

# =============================================================
# Run org-wide commands
# =============================================================
runbooks inventory collect --all-profiles --region "$AWS_REGION"
runbooks finops dashboard --all-profiles --format table
```
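The flow above assumes every profile is an IAM Identity Center (SSO) profile, so that org-wide reads run under short-lived credentials. The script below is an added example, not code from the runbooks project: before an `--all-profiles` run it checks that each of the four profile variables is set, that the named profile exists in the AWS CLI config, and that the profile is SSO-backed rather than carrying long-lived access keys. The profile names (`lz-billing-ro`, `legacy-keys`, ...), the account IDs and key ID in the sample config, and the `preflight` function are assumptions made up for the example.

```bash
#!/bin/sh
# Added example (not runbooks project code): pre-flight check that every
# Landing Zone profile variable is set, exists in the AWS CLI config, and is
# SSO-backed (sso_session or sso_start_url) rather than long-lived keys.
# Assumption: profiles live in an INI-style config with [profile NAME]
# sections, as written by `aws configure sso`. Profiles whose keys live only
# in ~/.aws/credentials classify as "other" and are rejected (fail closed).
set -u

# Print the value of KEY inside [profile NAME] (or [default]) in CONFIG.
profile_key() {
  local config="$1" name="$2" key="$3" section="profile $2"
  [ "$name" = default ] && section="default"
  awk -v section="$section" -v key="$key" '
    /^[ \t]*\[/ { in_section = ($0 == "[" section "]"); next }
    in_section && $0 ~ ("^[ \t]*" key "[ \t]*=") {
      sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*$/, ""); print; exit
    }' "$config"
}

# Classify NAME as one of: sso | static | other | missing.
profile_kind() {
  local config="$1" name="$2" header="[profile $2]"
  [ "$name" = default ] && header="[default]"
  if ! grep -qxF "$header" "$config"; then
    echo missing
  elif [ -n "$(profile_key "$config" "$name" sso_session)" ] ||
       [ -n "$(profile_key "$config" "$name" sso_start_url)" ]; then
    echo sso
  elif [ -n "$(profile_key "$config" "$name" aws_access_key_id)" ]; then
    echo static
  else
    echo other
  fi
}

# Check the four profile variables used by --all-profiles runs.
# Prints one line per variable; returns 1 if any check fails.
preflight() {
  local config="$1" rc=0 var name kind
  for var in AWS_PROFILE AWS_BILLING_PROFILE AWS_MANAGEMENT_PROFILE AWS_OPERATIONS_PROFILE; do
    eval "name=\${$var:-}"
    if [ -z "$name" ]; then
      printf 'FAIL %s is not set\n' "$var"; rc=1; continue
    fi
    kind=$(profile_kind "$config" "$name")
    case "$kind" in
      sso)     printf 'OK   %s=%s (SSO profile)\n' "$var" "$name" ;;
      missing) printf 'FAIL %s=%s: no [profile %s] in %s\n' "$var" "$name" "$name" "$config"; rc=1 ;;
      *)       printf 'FAIL %s=%s: not SSO-backed (%s); create it with aws configure sso\n' "$var" "$name" "$kind"; rc=1 ;;
    esac
  done
  return "$rc"
}

# Constructed sample config (fake account IDs and key ID) for offline runs.
write_sample_config() {
  cat > "$1" <<'EOF'
[default]
region = ap-southeast-2

[profile lz-billing-ro]
sso_session = corp
sso_account_id = 111111111111
sso_role_name = BillingReadOnly

[profile lz-management-ro]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
sso_account_id = 222222222222
sso_role_name = ReadOnlyAccess

[profile legacy-keys]
aws_access_key_id = AKIAEXAMPLEEXAMPLE00
aws_secret_access_key = not-a-real-secret

[sso-session corp]
sso_start_url = https://example.awsapps.com/start
sso_region = ap-southeast-2
EOF
}

# Demo against the constructed config:  sh preflight.sh --demo
# Real use: export the four variables, then  preflight "$HOME/.aws/config"
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_config "$tmp"
  export AWS_PROFILE=lz-billing-ro AWS_BILLING_PROFILE=lz-billing-ro
  export AWS_MANAGEMENT_PROFILE=lz-management-ro AWS_OPERATIONS_PROFILE=legacy-keys
  preflight "$tmp" || echo "pre-flight failed: fix the profiles before any --all-profiles run"
  rm -f "$tmp"
fi
```

Run it with `--demo` to see the constructed config rejected because `legacy-keys` carries static credentials; for real use export your own four variables and point `preflight` at `$HOME/.aws/config`. A profile that takes its keys from `~/.aws/credentials` classifies as `other` and is rejected as well. That is deliberate: the setup on this page authenticates with `aws sso login`, and failing closed keeps an org-wide read from silently running under long-lived keys.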
## Environment Variables Reference

| Variable | Required | Purpose |
|---|---|---|
| `AWS_REGION` | Yes (falls back to `ap-southeast-2` when unset) | Target AWS region |
| `AWS_PROFILE` | Yes | Default profile used when `--profile` is omitted |
| `AWS_BILLING_PROFILE` | Landing Zone only | Cost Explorer data enrichment |
| `AWS_MANAGEMENT_PROFILE` | Landing Zone only | Organizations metadata enrichment |
| `AWS_OPERATIONS_PROFILE` | Landing Zone only | Centralized Operations shared resources |
| `RUNBOOKS_TEST_MODE` | No | Set to `1` for offline/mock mode (no AWS calls are made) |
## Commands

Every command except `clean-outputs` calls only read-only AWS APIs; `clean-outputs` writes only to the local output directory and makes no AWS mutation.

| Command | Description | API Type |
|---|---|---|
| `check-cloudtrail-compliance` | CloudTrail compliance validation | read-only |
| `check-controltower` | Control Tower compliance check | read-only |
| `check-landingzone` | Landing Zone configuration check | read-only |
| `clean-outputs` | Clean output directory | write (local output directory only) |
| `collect` | Full inventory collection (35 resource types) | read-only |
| `collect-analytics` | Analytics service inventory | read-only |
| `collect-containers` | Container service inventory (ECS, EKS) | read-only |
| `collect-messaging` | Messaging service inventory (SQS, SNS) | read-only |
| `collect-ram-shares` | RAM shared resource inventory | read-only |
| `discover-lambda` | Lambda function discovery across org | read-only |
| `discover-rds` | RDS database discovery across org | read-only |
| `discover-workspaces` | WorkSpaces discovery across org | read-only |
| `draw-org` | AWS Organizations visualization | read-only |
| `drift-detection` | Comprehensive drift detection | read-only |
| `enrich` | Multi-dimensional enrichment pipeline | read-only |
| `enrich-accounts` | Account metadata enrichment | read-only |
| `enrich-activity` | CloudTrail activity enrichment | read-only |
| `enrich-costs` | Cost Explorer enrichment | read-only |
| `enrich-ec2` | EC2 instance enrichment | read-only |
| `find-cfn-drift` | CloudFormation drift detection | read-only |
| `find-cfn-orphaned-stacks` | Orphaned CloudFormation stacks | read-only |
| `find-cfn-stackset-drift` | StackSet drift detection | read-only |
| `find-lz-versions` | Landing Zone version discovery | read-only |
| `list-cfn-stacks` | CloudFormation stacks across accounts | read-only |
| `list-cfn-stacksets` | CloudFormation StackSets | read-only |
| `list-elbs` | Load balancer discovery (ELB, ALB, NLB) | read-only |
| `list-enis` | Network interface discovery (ENI) | read-only |
| `list-guardduty-detectors` | GuardDuty detector discovery | read-only |
| `list-org-accounts` | List AWS Organizations accounts | read-only |
| `list-org-users` | List IAM users across org | read-only |
| `list-outputs` | List generated output files | read-only |
| `list-sns-topics` | SNS topic discovery | read-only |
| `pipeline-summary` | Inventory pipeline summary | read-only |
| `recover-cfn-stack-ids` | Recover CloudFormation stack IDs | read-only |
| `resource-explorer` | AWS Resource Explorer query | read-only |
| `resource-types` | List supported resource types | read-only |
| `score-decommission` | Decommission scoring assessment | read-only |
| `show-profiles` | Display configured AWS profiles | read-only |
| `tag-coverage` | Tag coverage analysis | read-only |
| `validate-costs` | Cost data validation | read-only |
| `validate-mcp` | MCP accuracy validation | read-only |
| `vpc` | VPC inventory subgroup | read-only |
| `vpc dependencies` | VPC dependency mapping | read-only |
| `vpc flow-logs` | VPC Flow Logs analysis | read-only |
| `vpc nat-traffic` | NAT traffic analysis | read-only |
| `vpc security-groups` | Security group audit | read-only |
| `vpc topology` | VPC topology discovery | read-only |
| `vpc validate` | VPC configuration validation | read-only |
| `workflow-multi-account` | Multi-account pipeline orchestration | read-only |
| `workflow-single-account` | Single-account 4-layer pipeline | read-only |
## Usage Examples

```bash
# Full inventory collection (35 resource types)
runbooks inventory collect \
  --profile "$AWS_PROFILE" \
  --region "$AWS_REGION"

# 4-layer pipeline: collect → enrich → score → report
runbooks inventory workflow-single-account \
  --profile "$AWS_PROFILE"

# VPC topology discovery
runbooks inventory vpc topology \
  --profile "$AWS_PROFILE"

# Org-wide inventory across all SSO profiles
runbooks inventory collect --all-profiles

# Multi-account pipeline orchestration
runbooks inventory workflow-multi-account --all-profiles \
  --output-dir output/org-inventory/

# Organizations visualization (needs AWS_MANAGEMENT_PROFILE)
runbooks inventory draw-org --all-profiles

# Decommission scoring across org
runbooks inventory score-decommission --all-profiles
```
**Landing Zone Prerequisites**

Multi-account commands require:

- AWS SSO configured with a profile for each account
- Management account access for the Organizations API (a read-only role is sufficient, since these commands do not mutate anything)
- The `AWS_MANAGEMENT_PROFILE` environment variable set